When a Foswiki installation is publicly accessible from the internet and you need to allow registrations, it inevitably attracts spammers. Even if you restrict permissions so that newly registered users cannot change or add any content, they can still use the fields of the UserRegistration form to create keyword/link spam or, on Foswiki versions 1.1.4 and earlier, malicious HTML/script code (see Support.SecurityAlert-CVE-2012-1004).
The default user registration mechanism is in use, and it is set up to allow registrations. Additionally, the installation is public, and public registrations need to be supported.
Prevent the user registration process from creating a reward for the spammer: restrict VIEW access on new user topics, so that search engines do not index their content and innocent clicks on the user topic cannot expose visitors to malicious script (but do make sure your Foswiki installation is up to date).
Customize your existing System.NewUserTemplate by copying it to , and add something like the following (the =* Set= lines must be indented by three spaces, otherwise Foswiki treats them as plain bullets rather than preference settings):
---++ Temporary restrictions
This user ([[%WIKIUSERNAME%][%WIKINAME%]]) needs to be added to a [[WikiGroups][WikiGroup]], then the following restrictions should be removed by somebody from the Main.ModeratorGroup:
   * Set ALLOWTOPICVIEW = Main.ModeratorGroup, %WIKIUSERNAME%
   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup
Removing bogus/spammer user topics needs to be coordinated with removal of the corresponding username/pass/email lines from the file (if using the default
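As an added example (not part of this FAQ or of Foswiki itself), a Python script that audits user topics against the template above: it parses Foswiki's =* Set= preference lines (honouring the three-space indentation rule), reports which user topics still carry the temporary restrictions, which are fully open, and which password-file logins no longer have a topic. It assumes the default =login:hash:email= password-file layout and a login name equal to the WikiName; the sample topics and password lines are constructed.

```python
import re

# Foswiki only honours "* Set NAME = value" as a preference setting when the
# bullet is indented by three spaces (or tabs); an unindented "* Set" is just text.
SETTING_RE = re.compile(r"^(?:\t|   )+\*\s+Set\s+(\w+)\s*=\s*(.*?)\s*$", re.M)
MODERATORS = "ModeratorGroup"

def parse_settings(topic_text):
    """Preference settings defined in a topic; a later definition overrides an earlier one."""
    return {name: value for name, value in SETTING_RE.findall(topic_text)}

def acl_list(value):
    """Split an ALLOWTOPIC* value into bare names (Main.JohnDoe and JohnDoe are equivalent)."""
    names = [v.strip() for v in value.split(",") if v.strip()]
    return [n[5:] if n.startswith("Main.") else n for n in names]

def classify(wikiname, topic_text):
    """'quarantined': the template's temporary restrictions are intact;
    'open': no view/change restriction at all; 'partial': anything else."""
    settings = parse_settings(topic_text)
    view = acl_list(settings.get("ALLOWTOPICVIEW", ""))
    change = acl_list(settings.get("ALLOWTOPICCHANGE", ""))
    if not view and not change:
        return "open"
    if set(view) == {MODERATORS, wikiname} and change == [MODERATORS]:
        return "quarantined"
    return "partial"

def audit(user_topics, htpasswd_text):
    """user_topics maps WikiName -> topic text; htpasswd_text holds 'login:hash:email'
    lines. Assumption: login name == WikiName (Foswiki's registration default)."""
    logins = {ln.split(":", 1)[0] for ln in htpasswd_text.splitlines() if ":" in ln}
    report = {"quarantined": [], "open": [], "partial": []}
    for name, text in user_topics.items():
        report[classify(name, text)].append(name)
    report["orphan_logins"] = sorted(logins - set(user_topics))  # password entry, no topic
    return report

# Constructed sample data, not real user topics or password entries.
SAMPLE_TOPICS = {
    "AliceSmith": "   * Set ALLOWTOPICVIEW = Main.ModeratorGroup, Main.AliceSmith\n"
                  "   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup\n",
    "BobJones": "Hi, I am Bob and I sell cheap watches.\n",
    "CarolWu": "* Set ALLOWTOPICVIEW = Main.ModeratorGroup, Main.CarolWu\n"  # no indent: ignored
               "   * Set ALLOWTOPICCHANGE = Main.ModeratorGroup\n",
}
SAMPLE_HTPASSWD = ("AliceSmith:{HASH}:alice@example.com\nBobJones:{HASH}:bob@example.com\n"
                   "SpamBot99:{HASH}:spam@example.com\n")
if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_TOPICS, SAMPLE_HTPASSWD).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```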
| Category || Installation and Upgrading |
| Related Topics || Faq12 |